A media access control address (MAC address) of a device is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet and Wi-Fi. Logically, MAC addresses are used in the media access control protocol sublayer of the OSI (Open Systems Interconnection) reference model.
MAC addresses are most often assigned by the manufacturer of a network interface controller (NIC) and are stored in its hardware, such as the card's read-only memory or some other firmware mechanism. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number and may be referred to as the burned-in address (BIA). It may also be known as an Ethernet hardware address (EHA), hardware address or physical address (not to be confused with a memory physical address). This can be contrasted to a programmed address, where the host device issues commands to the NIC to use an arbitrary address.
A network node may have multiple NICs and each NIC must have a unique MAC address. Sophisticated network equipment such as a multilayer switch or router may require one or more permanently assigned MAC addresses.
MAC addresses are formed according to the rules of one of three numbering name spaces managed by the Institute of Electrical and Electronics Engineers (IEEE): MAC-48, EUI-48, and EUI-64. The IEEE claims trademarks on the names EUI-48 and EUI-64, in which EUI is an abbreviation for Extended Unique Identifier.
The US National Security Agency has a system that tracks the movements of everyone in a city by monitoring the MAC addresses of their electronic devices. As a result of users being trackable by their devices' MAC addresses, some companies like Apple have started using random MAC addresses in their iOS line of devices while scanning for networks. If random MAC addresses are not used, researchers have confirmed that it is possible to link a real identity to a particular wireless MAC address.
Many network interfaces (including wireless ones) support changing their MAC address. The configuration is specific to the operating system. On most Unix-like systems, the ifconfig command may be used to add and remove “link” (Ethernet MAC family) address aliases; on NetBSD, for instance, the “active” ifconfig directive may then be used to specify which of the attached addresses to activate. Hence, various configuration scripts and utilities allow the MAC address to be randomized at boot or network connection time.
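An added example, not part of the original text: a small parser that accepts the common MAC-48/EUI-48 notations and decodes the two flag bits that distinguish a burned-in address from a programmed or randomized one (the U/L bit) and unicast from multicast (the I/G bit), plus the IPv6 modified EUI-64 form (RFC 4291), which goes slightly beyond the page's mention of the EUI-64 namespace. The sample addresses are constructed for illustration; the OUI shown is only the first 24 bits and is not looked up against the IEEE registry.

```python
import re

# Matches the 12 hex digits left after separators are stripped from
# "00:1A:2B:3C:4D:5E", "00-1A-2B-3C-4D-5E", "001a.2b3c.4d5e" or "001A2B3C4D5E".
_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")


def parse_mac(text: str) -> bytes:
    """Normalise a textual 48-bit MAC address into its 6 raw bytes."""
    digits = re.sub(r"[:\-.\s]", "", text.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def describe_mac(text: str) -> dict:
    """Decode the OUI and the I/G and U/L flag bits of the first octet."""
    mac = parse_mac(text)
    first = mac[0]
    multicast = bool(first & 0x01)            # I/G bit: 1 = group (multicast) address
    local = bool(first & 0x02)                # U/L bit: 1 = locally administered
    if multicast:
        kind = "multicast"
    elif local:
        kind = "locally administered unicast (programmed or randomized)"
    else:
        kind = "universally administered unicast (burned-in address)"
    return {
        "canonical": ":".join(f"{b:02x}" for b in mac),
        # First 24 bits; only meaningful as a manufacturer id when U/L == 0.
        "oui": "-".join(f"{b:02X}" for b in mac[:3]),
        "multicast": multicast,
        "locally_administered": local,
        "kind": kind,
    }


def modified_eui64(text: str) -> str:
    """IPv6 modified EUI-64: insert FF:FE in the middle and flip the U/L bit."""
    mac = parse_mac(text)
    eui = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]
    return ":".join(f"{b:02x}" for b in eui)


if __name__ == "__main__":
    # Constructed sample addresses: a burned-in one, a randomized-looking one, an mDNS group.
    for sample in ("00-1A-2B-3C-4D-5E", "da:a1:19:00:11:22", "01:00:5e:00:00:fb"):
        print(sample, "->", describe_mac(sample)["kind"])
```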
Using wireless access points in service set identification (SSID)-hidden mode (see network cloaking), a mobile wireless device may not only disclose its own MAC address when traveling, but even the MAC addresses associated with SSIDs the device has already connected to, if it is configured to send these as part of probe request packets. Alternative modes to prevent this include configuring access points to be either in beacon-broadcasting mode or in probe-response with SSID mode. In these modes, probe requests may be unnecessary, or may be sent in broadcast mode without disclosing the identity of previously known networks.
Even with a random address, hackers can obtain a MAC address and do much damage. When a hacker has a user's MAC address and the hacker and the user both belong to the same network, the hacker can spoof the router's MAC address and pretend to be the router. The hacker can steal the user's credentials by doing a “Man in the Middle” attack or similar attacks in which the MAC address plays an important role. In another scenario, the hacker can pretend to be the user and trick the user's router into authenticating the hacker. This normally happens in a two-way handshake, where an already authenticated device is sent a key which can be manipulated by MAC address. Hackers have been able to hack into many different computer systems, such as government systems, Target, and others, seeking personal data and financial data.
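An added example, not part of the original text: a defensive check for the router-impersonation scenario above. It walks a list of ARP sender observations (constructed sample data, not captured traffic) and raises an alert when an IP address, the gateway's in particular, starts answering from a different MAC address, or when one MAC address claims more than one IP.

```python
from collections import defaultdict

# Constructed observations: (seconds since start, sender IP, sender MAC) as seen in ARP replies.
SAMPLE_ARP = [
    (0, "192.168.1.1", "00:1a:2b:3c:4d:5e"),    # gateway, burned-in address
    (1, "192.168.1.20", "f4:5c:89:aa:bb:cc"),   # ordinary host
    (2, "192.168.1.37", "da:a1:19:00:11:22"),   # host with a locally administered address
    (60, "192.168.1.1", "da:a1:19:00:11:22"),   # gateway IP now answered from the .37 host's MAC
]


def detect_arp_conflicts(observations, gateway_ip):
    """Return (severity, time, message) alerts for IP/MAC binding changes and shared MACs."""
    ip_to_mac = {}                      # last MAC seen for each IP
    mac_to_ips = defaultdict(set)       # every IP a MAC has claimed
    reported_shared = set()             # MACs already reported for claiming several IPs
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # A binding flip on the default gateway is the classic man-in-the-middle sign.
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((severity, ts, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in reported_shared:
            reported_shared.add(mac)
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append(("MEDIUM", ts, f"{mac} claims several IPs: {claimed}"))
    return alerts


if __name__ == "__main__":
    for severity, ts, message in detect_arp_conflicts(SAMPLE_ARP, "192.168.1.1"):
        print(f"t={ts:>3}s [{severity}] {message}")
```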
In another scenario, a further issue is managing communications between different networks that have different security clearances. For example, one network within a government or enterprise might have a low level of security and a second network might have a high level of security. Individuals on the different networks may desire to share information across the networks. These different networks can be called security enclaves or can have different security class levels. Given the different networks, individuals on one network (say the low-level security network) cannot at will access data or devices on the other network (the high-security network). In some cases, the secure network is completely separated from outside networks or the Internet to ensure that it is unhackable to the extent possible with current and predictably emerging technologies. One way of exchanging data between such networks is to manually carry data into the secure network and manually type the data into it. This manual process does not provide a real-time update of information on the secure network and would therefore not work in many scenarios where real-time data must be provided to a secure protected enclave.
What is needed is an improved mechanism of protecting devices from hackers and other bad actors on a network.